Minnesota Governor Signs Comprehensive Privacy Law

Julie Rubash, General Counsel and Chief Privacy Officer
June 3, 2024
Minnesota Consumer Data Privacy Act was signed by the Governor


Minnesota Governor Signs Comprehensive Privacy Law

The Minnesota Consumer Data Privacy Act was signed by the Minnesota Governor as part of an omnibus bill (HF 4757), making Minnesota the 19th state to enact a comprehensive data privacy law. The law will take effect July 31, 2025.


The Minnesota Consumer Data Privacy Act most closely resembles Connecticut’s data privacy law, but it has borrowed certain aspects from other states as well. For example, Minnesota, like Oregon, will give consumers the right to request from controllers a list of specific third parties (as opposed to categories of third parties) to which personal data has been disclosed. The law also adopts several requirements from California and Colorado rules regarding the extension of consent and opt-out rights and privacy notices. In addition to provisions adopted from other states, the Minnesota law also creates some new requirements, including, most notably, requirements to maintain “an inventory of the data” that is processed and a “description of the policies and procedures” that the controller has adopted to comply with the data privacy law. 

Get the up-to-date Sourcepoint overview of US state consent and data privacy laws.

CPPA Seeks Stakeholder Input in Developing Data Broker Regulations

The California Privacy Protection Agency (CPPA) released an invitation for public comment on a number of topics under the Delete Act, a law enacted in October 2023 that, among other requirements, directs the CPPA to set up a central mechanism by January 1, 2026 to enable consumers “through a single verifiable consumer request” to request that all registered brokers delete the consumer’s personal information. The invitation for public comment requests feedback in response to specific questions related to the definition and enablement of “verifiable consumer requests”, ways to submit and receive information in a “privacy protecting way”, ways to provide and verify the status of requests, and considerations with respect to the consumer experience. Public comments can be emailed to by June 25, 2024. The CPPA will also hold a stakeholder session June 26. 


The Delete Act gives the CPPA some latitude in developing a deletion mechanism under the law, but it also imposes several required parameters for the consent and data privacy mechanism. Specifically, the mechanism must not allow the disclosure of any additional personal information to data brokers and must allow consumers to selectively exclude brokers from their deletion requests, allow consumers to alter their previous requests (by withdrawing their name from the mechanism), allow brokers to determine whether a request made through the mechanism is verifiable, be free of charge to consumers, allow for requests in any relevant language, be accessible to those with disabilities, support use of authorized agents by consumers, and allow consumers to check the status of their data privacy requests.

Some of these requirements pose challenges that are reflected in the CPPA’s request for comments. For example, how can the mechanism allow brokers to determine whether a request made through the mechanism is verifiable in a manner that can be automated across data brokers and does not allow the disclosure of any additional personal information to data brokers (particularly since the data already in the possession of a data broker or necessary to verify an individual will not be the same across data brokers)? The consumer experience, about which the CPPA is seeking feedback, will also be an important component, for example, to ensure the requirement to allow consumers to selectively exclude data brokers (and understand the meaning of deleting data from some, but not all, data brokers) is meaningful, given the number of data brokers that may be involved. 

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]